It has come to my attention that there is an item duplication vulnerability in this mod. I consider this a serious vulnerability as this mod is used on a large number of servers, and I urge server owners to update immediately. I have submitted a pull request to the original developers but in the meantime you can get the fixed version from my fork. The pull request has now been merged into the main repository and is included in the latest release of the mod.

More details regarding the vulnerability can be requested via private message. Details regarding the vulnerability cannot be supplied via private message as my account is too new to use the private message feature.

Last edited by micheal65536 on Sun Feb 11, 2018 18:52, edited 1 time in total.

Via PM I will explain the details of exactly how the vulnerability worked. I feel that from the code it will still take some effort to figure out the vulnerability, as I had read through this code many times and even used similar code in my own mods before I discovered this.

The pull request has now been merged to the main repository and version 0.4.11 has been released including the fix. I strongly advise that server owners update to this release immediately. I will be releasing the full explanation of the vulnerability in a few weeks' time, to give server owners a chance to update while allowing future developers to learn to avoid similar vulnerabilities in the future.

If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem. I do not understand why such people are thinking why all servers have stupid 3d_armor mods.

The new version of this mod:If you wear iron or bronze armor, you do not run fast and do not jump higher.

Just leave the servers and do not offer them to update 3d_armor if it finds it better than the older versions of this mod.

If it's not very cool for you to use this mod, try creating your own armor mod (if you know about lua).

Enrikoo wrote:If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem. I do not understand why such people are thinking why all servers have stupid 3d_armor mods.

The new version of this mod:If you wear iron or bronze armor, you do not run fast and do not jump higher.

Just leave the servers and do not offer them to update 3d_armor if it finds it better than the older versions of this mod.

If it's not very cool for you to use this mod, try creating your own armor mod (if you know about lua).

I don't know if you're just ranting about the 3d_armor mod in general or what your problem is but a lot of servers use it (whether you agree with it or not) and they should absolutely update unless they want their server to be vulnerable. There are no functional changes between the previous version and this one, only bugfixes.

If a server owner is insistent on continuing to use an even older version then I highly suggest that they examine the relevant commit and apply it over whatever version they're using unless they want players to be able to obtain unlimited items fairly easily (I have evidence to suggest that this vulnerability is being exploited "in the wild" on at least one server). This should be considered on the same level as the creative vulnerability from July 2017 (and possibly also the locked chest vulnerability from September 2017) due to the popularity of this mod.

Bump. Please be advised that a full explanation of the vulnerability will be released on the 12th of March so to keep your server secure you should update before then (if you haven't already). The latest version can be obtained from the official repository.

Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.

Since the fix was merged into upstream an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.

rubenwardy wrote:Please note that the forum rules state that any exploits or cheats are not permitted, so please do not post any working exploits.Technical information on the issue is fine however.

I do not intend to post a "how to" guide on how to exploit the vulnerability. However I feel that I should explain how the vulnerability works as it is an easy mistake for mod developers to make and it is important that people are aware of how it (and similar) vulnerabilities can creep in.

Linuxdirk wrote:Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.

Since the fix was merged into upstream an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.